<!DOCTYPE html>
<html lang="en-US" class="no-js no-svg">

	<head>
	    <meta charset="UTF-8">
	    <meta name="viewport" content="width=device-width, initial-scale=1">
	    <link rel="profile" href="https://gmpg.org/xfn/11" />
	    <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v19.3 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Linux Threat Hunting: &#039;Syslogk&#039; a kernel rootkit found under development in the wild - Avast Threat Labs</title>
	<link rel="canonical" href="https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Linux Threat Hunting: &#039;Syslogk&#039; a kernel rootkit found under development in the wild - Avast Threat Labs" />
	<meta property="og:description" content="Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples [&hellip;]" />
	<meta property="og:url" content="https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" />
	<meta property="og:site_name" content="Avast Threat Labs" />
	<meta property="article:published_time" content="2022-06-13T12:00:35+00:00" />
	<meta property="article:modified_time" content="2022-06-13T12:08:44+00:00" />
	<meta property="og:image" content="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/GettyImages-1369156753.jpg" />
	<meta property="og:image:width" content="2120" />
	<meta property="og:image:height" content="1414" />
	<meta property="og:image:type" content="image/jpeg" />
	<meta name="author" content="David Álvarez" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@wormable" />
	<meta name="twitter:site" content="@AvastThreatLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="David Álvarez and Jan Neduchal" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="13 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://decoded.avast.io/#organization","name":"Avast","url":"https://decoded.avast.io/","sameAs":["https://twitter.com/AvastThreatLabs"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://decoded.avast.io/#/schema/logo/image/","url":"","contentUrl":"","caption":"Avast"},"image":{"@id":"https://decoded.avast.io/#/schema/logo/image/"}},{"@type":"WebSite","@id":"https://decoded.avast.io/#website","url":"https://decoded.avast.io/","name":"Avast Threat Labs","description":"Uncovering Tactics, Techniques and Procedures of malicious actors","publisher":{"@id":"https://decoded.avast.io/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://decoded.avast.io/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#primaryimage","url":"https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/GettyImages-1369156753.jpg","contentUrl":"https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/GettyImages-1369156753.jpg","width":2120,"height":1414,"caption":"Young beautiful female hacker working on computer at night. 
She is wearing hood."},{"@type":"WebPage","@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/","url":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/","name":"Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild - Avast Threat Labs","isPartOf":{"@id":"https://decoded.avast.io/#website"},"primaryImageOfPage":{"@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#primaryimage"},"datePublished":"2022-06-13T12:00:35+00:00","dateModified":"2022-06-13T12:08:44+00:00","breadcrumb":{"@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"]}]},{"@type":"BreadcrumbList","@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://decoded.avast.io/"},{"@type":"ListItem","position":2,"name":"Linux Threat Hunting: &#8216;Syslogk&#8217; a kernel rootkit found under development in the wild"}]},{"@type":"Article","@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#article","isPartOf":{"@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"},"author":{"name":"David Álvarez","@id":"https://decoded.avast.io/#/schema/person/aab6ad8789cf538c083be38058e751f5"},"headline":"Linux Threat Hunting: &#8216;Syslogk&#8217; a kernel rootkit found under development in 
the wild","datePublished":"2022-06-13T12:00:35+00:00","dateModified":"2022-06-13T12:08:44+00:00","mainEntityOfPage":{"@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"},"wordCount":2225,"publisher":{"@id":"https://decoded.avast.io/#organization"},"image":{"@id":"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/#primaryimage"},"thumbnailUrl":"https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/GettyImages-1369156753.jpg","keywords":["analysis","linux","malware","rootkit"],"articleSection":["PC"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://decoded.avast.io/#/schema/person/aab6ad8789cf538c083be38058e751f5","name":"David Álvarez","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://decoded.avast.io/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/3c81047780afb0c16225be9ec2038a27?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/3c81047780afb0c16225be9ec2038a27?s=96&d=mm&r=g","caption":"David Álvarez"},"description":"David Álvarez is a senior malware analyst bringing more than 8 years experience in the IT industry and deep knowledge of IoT malware to Avast. He is also author of the book \"Ghidra Software Reverse Engineering for Beginners\".","sameAs":["https://es.linkedin.com/in/davidalvarezperez","https://twitter.com/wormable"],"url":""}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Avast Threat Labs &raquo; Feed" href="https://decoded.avast.io/feed/" />
<link rel="alternate" type="application/rss+xml" title="Avast Threat Labs &raquo; Comments Feed" href="https://decoded.avast.io/comments/feed/" />
	<link rel='stylesheet' id='wp-block-library-css'  href='https://decoded.avast.io/wp-includes/css/dist/block-library/style.min.css?ver=6.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='johannes-fonts-css'  href='https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&#038;ver=1.1.3' type='text/css' media='all' />
<link rel='stylesheet' id='johannes-main-css'  href='https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3' type='text/css' media='all' />
<style id='johannes-main-inline-css' type='text/css'>
body{font-family: 'Muli', Arial, sans-serif;font-weight: 400;font-style: normal;color: #ffffff;background: #ffffff;}.johannes-header{font-family: 'Muli', Arial, sans-serif;font-weight: 700;font-style: normal;}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6,.h0,.display-1,.wp-block-cover .wp-block-cover-image-text, .wp-block-cover .wp-block-cover-text, .wp-block-cover h2, .wp-block-cover-image .wp-block-cover-image-text, .wp-block-cover-image .wp-block-cover-text, .wp-block-cover-image h2,.entry-category a,.single-md-content .entry-summary,p.has-drop-cap:not(:focus)::first-letter,.johannes_posts_widget .entry-header > a {font-family: 'Muli', Arial, sans-serif;font-weight: 900;font-style: normal;}b,strong,.entry-tags a,.entry-category a,.entry-meta a,.wp-block-tag-cloud a{font-weight: 900; }.entry-content strong{font-weight: bold;}.header-top{background: #424851;color: #989da2;}.header-top nav > ul > li > a,.header-top .johannes-menu-social a{color: #989da2;}.header-top nav > ul > li:hover > a,.header-top nav > ul > li.current-menu-item > a,.header-top .johannes-menu-social li:hover a{color: #ffffff;}.header-middle,.header-mobile{color: #ffffff;background: #2d364c;}.header-middle > .container {height: 130px;}.header-middle a,.johannes-mega-menu .sub-menu li:hover a,.header-mobile a{color: #ffffff;}.header-middle li:hover > a,.header-middle .current-menu-item > a,.header-middle .johannes-mega-menu .sub-menu li a:hover,.header-middle .johannes-site-branding .site-title a:hover,.header-mobile .site-title a,.header-mobile a:hover{color: #ff8000;}.header-middle .johannes-site-branding .site-title a{color: #ffffff;}.header-middle .sub-menu{background: #2d364c;}.johannes-cover-indent .header-middle .johannes-menu>li>a:hover,.johannes-cover-indent .header-middle .johannes-menu-action a:hover{color: #ff8000;}.header-sticky-main{color: #ffffff;background: #2d364c;}.header-sticky-main a,.header-sticky-main .johannes-mega-menu .sub-menu li:hover a,.header-sticky-main 
.johannes-mega-menu .has-arrows .owl-nav > div{color: #ffffff;}.header-sticky-main li:hover > a,.header-sticky-main .current-menu-item > a,.header-sticky-main .johannes-mega-menu .sub-menu li a:hover,.header-sticky-main .johannes-site-branding .site-title a:hover{color: #ff8000;}.header-sticky-main .johannes-site-branding .site-title a{color: #ffffff;}.header-sticky-main .sub-menu{background: #2d364c;}.header-sticky-contextual{color: #2d364c;background: #ffffff;}.header-sticky-contextual,.header-sticky-contextual a{font-family: 'Muli', Arial, sans-serif;font-weight: 400;font-style: normal;}.header-sticky-contextual a{color: #2d364c;}.header-sticky-contextual .meta-comments:after{background: #2d364c;}.header-sticky-contextual .meks_ess a:hover{color: #ff8000;background: transparent;}.header-bottom{color: #424851;background: #ffffff;border-top: 1px solid rgba(66,72,81,0.1);border-bottom: 1px solid rgba(66,72,81,0.1);}.johannes-header-bottom-boxed .header-bottom{background: transparent;border: none;}.johannes-header-bottom-boxed .header-bottom-slots{background: #ffffff;border-top: 1px solid rgba(66,72,81,0.1);border-bottom: 1px solid rgba(66,72,81,0.1);}.header-bottom-slots{height: 70px;}.header-bottom a,.johannes-mega-menu .sub-menu li:hover a,.johannes-mega-menu .has-arrows .owl-nav > div{color: #424851;}.header-bottom li:hover > a,.header-bottom .current-menu-item > a,.header-bottom .johannes-mega-menu .sub-menu li a:hover,.header-bottom .johannes-site-branding .site-title a:hover{color: #f13b3b;}.header-bottom .johannes-site-branding .site-title a{color: #424851;}.header-bottom .sub-menu{background: #ffffff;}.johannes-menu-action .search-form input[type=text]{background: #ffffff;}.johannes-header-multicolor .header-middle .slot-l,.johannes-header-multicolor .header-sticky .header-sticky-main .container > .slot-l,.johannes-header-multicolor .header-mobile .slot-l,.johannes-header-multicolor .slot-l .johannes-site-branding:after{background: 
#424851;}.johannes-cover-indent .johannes-cover{min-height: 450px;}.page.johannes-cover-indent .johannes-cover{min-height: 250px;}.single.johannes-cover-indent .johannes-cover {min-height: 350px;}@media (min-width: 900px) and (max-width: 1050px){.header-middle > .container {height: 100px;}.header-bottom > .container,.header-bottom-slots {height: 50px;}}.johannes-modal{background: #ffffff;}.johannes-modal .johannes-menu-social li a:hover,.meks_ess a:hover{background: #ffffff;}.johannes-modal .johannes-menu-social li:hover a{color: #ffffff;}.johannes-modal .johannes-modal-close{color: #ffffff;}.johannes-modal .johannes-modal-close:hover{color: #ff7900;}.meks_ess a:hover{color: #ffffff;}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6,.h0,.display-1,.has-large-font-size {color: #424851;}.entry-title a,a{color: #ffffff;}.johannes-post .entry-title a{color: #424851;}.entry-content a:not([class*=button]),.comment-content a:not([class*=button]){color: #ff7900;}.entry-content a:not([class*=button]):hover,.comment-content a:not([class*=button]):hover{color: #ffffff;}.entry-title a:hover,a:hover,.entry-meta a,.written-by a,.johannes-overlay .entry-meta a:hover,body .johannes-cover .section-bg+.container .johannes-breadcrumbs a:hover,.johannes-cover .section-bg+.container .section-head a:not(.johannes-button):not(.cat-item):hover,.entry-content .wp-block-tag-cloud a:hover{color: #ff7900;}.entry-meta,.entry-content .entry-tags a,.entry-content .fn a,.comment-metadata,.entry-content .comment-metadata a,.written-by > span,.johannes-breadcrumbs{color: #989da2;}.entry-meta a:hover,.written-by a:hover,.entry-content .wp-block-tag-cloud a{color: #ffffff;}.entry-meta .meta-item + .meta-item:before{background:#ffffff;}.entry-format i{color: #ffffff;background:#ffffff;}.category-pill .entry-category a{background-color: #ff7900;color: #fff;}.category-pill .entry-category a:hover{background-color: #ffffff;color: #ffffff;}.johannes-overlay.category-pill .entry-category 
a:hover,.johannes-cover.category-pill .entry-category a:hover {background-color: #ffffff;color: #ffffff;}.white-bg-alt-2 .johannes-bg-alt-2 .category-pill .entry-category a:hover,.white-bg-alt-2 .johannes-bg-alt-2 .entry-format i{background-color: #ffffff;color: #ffffff;}.media-shadow:after{background: rgba(255,255,255,0.1);}.entry-content .entry-tags a:hover,.entry-content .fn a:hover{color: #ff7900;}.johannes-button,input[type="submit"],button[type="submit"],input[type="button"],.wp-block-button .wp-block-button__link,.comment-reply-link,#cancel-comment-reply-link,.johannes-pagination a,.johannes-pagination,.meks-instagram-follow-link .meks-widget-cta,.mks_autor_link_wrap a,.mks_read_more a,.category-pill .entry-category a{font-family: 'Muli', Arial, sans-serif;font-weight: 900;font-style: normal;}.johannes-bg-alt-1,.has-arrows .owl-nav,.has-arrows .owl-stage-outer:after,.media-shadow:after {background-color: #2d364c}.johannes-bg-alt-2 {background-color: #2d364c}.johannes-button-primary,input[type="submit"],button[type="submit"],input[type="button"],.johannes-pagination a{box-shadow: 0 10px 15px 0 rgba(255,121,0,0.2);background: #ff7900;color: #fff;}.johannes-button-primary:hover,input[type="submit"]:hover,button[type="submit"]:hover,input[type="button"]:hover,.johannes-pagination a:hover{box-shadow: 0 0 0 0 rgba(255,121,0,0);color: #fff;}.johannes-button.disabled{background: #2d364c;color: #ffffff; box-shadow: none;}.johannes-button-secondary,.comment-reply-link,#cancel-comment-reply-link,.meks-instagram-follow-link .meks-widget-cta,.mks_autor_link_wrap a,.mks_read_more a{box-shadow: inset 0 0px 0px 1px #ffffff;color: #ffffff;opacity: .5;}.johannes-button-secondary:hover,.comment-reply-link:hover,#cancel-comment-reply-link:hover,.meks-instagram-follow-link .meks-widget-cta:hover,.mks_autor_link_wrap a:hover,.mks_read_more a:hover{box-shadow: inset 0 0px 0px 1px #ff7900; opacity: 1;color: #ff7900;}.johannes-breadcrumbs 
a,.johannes-action-close:hover,.single-md-content .entry-summary span,form label .required{color: #ff7900;}.johannes-breadcrumbs a:hover{color: #ffffff;}.section-title:after{background-color: #ff7900;}hr{background: rgba(255,255,255,0.2);}.wp-block-preformatted,.wp-block-verse,pre,code, kbd, pre, samp, address{background:#2d364c;}.entry-content ul li:before,.wp-block-quote:before,.comment-content ul li:before{color: #ffffff;}.wp-block-quote.is-large:before{color: #ff7900;}.wp-block-table.is-style-stripes tr:nth-child(odd){background:#2d364c;}.wp-block-table.is-style-regular tbody tr,.entry-content table tr,.comment-content table tr{border-bottom: 1px solid rgba(255,255,255,0.1);}.wp-block-pullquote:not(.is-style-solid-color){color: #ffffff;border-color: #ff7900;}.wp-block-pullquote{background: #ff7900;color: #ffffff;}.johannes-sidebar-none .wp-block-pullquote.alignfull.is-style-solid-color{box-shadow: -526px 0 0 #ff7900, -1052px 0 0 #ff7900,526px 0 0 #ff7900, 1052px 0 0 #ff7900;}.wp-block-button .wp-block-button__link{background: #ff7900;color: #fff;box-shadow: 0 10px 15px 0 rgba(255,121,0,0.2);}.wp-block-button .wp-block-button__link:hover{box-shadow: 0 0 0 0 rgba(255,121,0,0);}.is-style-outline .wp-block-button__link {background: 0 0;color:#ff7900;border: 2px solid currentcolor;}.entry-content .is-style-solid-color a:not([class*=button]){color:#ffffff;}.entry-content .is-style-solid-color a:not([class*=button]):hover{color:#ffffff;}input[type=color], input[type=date], input[type=datetime-local], input[type=datetime], input[type=email], input[type=month], input[type=number], input[type=password], input[type=range], input[type=search], input[type=tel], input[type=text], input[type=time], input[type=url], input[type=week], select, textarea{border: 1px solid rgba(255,255,255,0.3);}body .johannes-wrapper .meks_ess{border-color: rgba(255,255,255,0.1); }.widget_eu_cookie_law_widget #eu-cookie-law input, .widget_eu_cookie_law_widget #eu-cookie-law input:focus, 
.widget_eu_cookie_law_widget #eu-cookie-law input:hover{background: #ff7900;color: #fff;}.double-bounce1, .double-bounce2{background-color: #ff7900;}.johannes-pagination .page-numbers.current,.paginated-post-wrapper span{background: #2d364c;color: #ffffff;}.widget li{color: rgba(255,255,255,0.8);}.widget_calendar #today a{color: #fff;}.widget_calendar #today a{background: #ff7900;}.tagcloud a{border-color: rgba(255,255,255,0.5);color: rgba(255,255,255,0.8);}.tagcloud a:hover{color: #ff7900;border-color: #ff7900;}.rssSummary,.widget p{color: #ffffff;}.johannes-bg-alt-1 .count,.johannes-bg-alt-1 li a,.johannes-bg-alt-1 .johannes-accordion-nav{background-color: #2d364c;}.johannes-bg-alt-2 .count,.johannes-bg-alt-2 li a,.johannes-bg-alt-2 .johannes-accordion-nav,.johannes-bg-alt-2 .cat-item .count, .johannes-bg-alt-2 .rss-date, .widget .johannes-bg-alt-2 .post-date, .widget .johannes-bg-alt-2 cite{background-color: #2d364c;color: #FFF;}.white-bg-alt-1 .widget .johannes-bg-alt-1 select option,.white-bg-alt-2 .widget .johannes-bg-alt-2 select option{background: #2d364c;}.widget .johannes-bg-alt-2 li a:hover{color: #ff7900;}.widget_categories .johannes-bg-alt-1 ul li .dots:before,.widget_archive .johannes-bg-alt-1 ul li .dots:before{color: #ffffff;}.widget_categories .johannes-bg-alt-2 ul li .dots:before,.widget_archive .johannes-bg-alt-2 ul li .dots:before{color: #FFF;}.search-alt input[type=search], .search-alt input[type=text], .widget_search input[type=search], .widget_search input[type=text],.mc-field-group input[type=email], .mc-field-group input[type=text]{border-bottom: 1px solid rgba(255,255,255,0.2);}.johannes-sidebar-hidden{background: #ffffff;}.johannes-footer{background: #ffffff;color: #424851;}.johannes-footer a,.johannes-footer .widget-title{color: #424851;}.johannes-footer a:hover{color: #f13b3b;}.johannes-footer-widgets + .johannes-copyright{border-top: 1px solid rgba(66,72,81,0.1);}.johannes-footer .widget .count,.johannes-footer .widget_categories li 
a,.johannes-footer .widget_archive li a,.johannes-footer .widget .johannes-accordion-nav{background-color: #ffffff;}.footer-divider{border-top: 1px solid rgba(66,72,81,0.1);}.johannes-footer .rssSummary,.johannes-footer .widget p{color: #424851;}.johannes-empty-message{background: #2d364c;}.error404 .h0{color: #ff7900;}.johannes-goto-top,.johannes-goto-top:hover{background: #ffffff;color: #ffffff;}.johannes-ellipsis div{background: #ff7900;}.white-bg-alt-2 .johannes-bg-alt-2 .section-subnav .johannes-button-secondary:hover{color: #ff7900;}.section-subnav a{color: #ffffff;}.johannes-cover .section-subnav a{color: #fff;}.section-subnav a:hover{color: #ff7900;}@media(min-width: 600px){.size-johannes-fa-a{ height: 450px !important;}.size-johannes-single-3{ height: 450px !important;}.size-johannes-single-4{ height: 540px !important;}.size-johannes-page-3{ height: 360px !important;}.size-johannes-page-4{ height: 405px !important;}.size-johannes-wa-3{ height: 405px !important;}.size-johannes-wa-4{ height: 567px !important;}.size-johannes-archive-2{ height: 405px !important;}.size-johannes-archive-3{ height: 405px !important;}}@media(min-width: 900px){.size-johannes-a{ height: 484px !important;}.size-johannes-b{ height: 491px !important;}.size-johannes-c{ height: 304px !important;}.size-johannes-d{ height: 194px !important;}.size-johannes-e{ height: 304px !important;}.size-johannes-f{ height: 214px !important;}.size-johannes-fa-a{ height: 500px !important;}.size-johannes-fa-b{ height: 635px !important;}.size-johannes-fa-c{ height: 540px !important;}.size-johannes-fa-d{ height: 344px !important;}.size-johannes-fa-e{ height: 442px !important;}.size-johannes-single-1{ height: 484px !important;}.size-johannes-single-2{ height: 484px !important;}.size-johannes-single-3{ height: 500px !important;}.size-johannes-single-4{ height: 600px !important;}.size-johannes-single-5{ height: 442px !important;}.size-johannes-page-1{ height: 484px !important;}.size-johannes-page-2{ height: 
484px !important;}.size-johannes-page-3{ height: 400px !important;}.size-johannes-page-4{ height: 450px !important;}.size-johannes-wa-1{ height: 442px !important;}.size-johannes-wa-2{ height: 304px !important;}.size-johannes-wa-3{ height: 450px !important;}.size-johannes-wa-4{ height: 630px !important;}.size-johannes-archive-2{ height: 450px !important;}.size-johannes-archive-3{ height: 450px !important;}}@media(min-width: 900px){.has-small-font-size{ font-size: 1.3rem;}.has-normal-font-size{ font-size: 1.6rem;}.has-large-font-size{ font-size: 4.0rem;}.has-huge-font-size{ font-size: 5.2rem;}}.has-johannes-acc-background-color{ background-color: #ff7900;}.has-johannes-acc-color{ color: #ff7900;}.has-johannes-meta-background-color{ background-color: #989da2;}.has-johannes-meta-color{ color: #989da2;}.has-johannes-bg-background-color{ background-color: #ffffff;}.has-johannes-bg-color{ color: #ffffff;}.has-johannes-bg-alt-1-background-color{ background-color: #2d364c;}.has-johannes-bg-alt-1-color{ color: #2d364c;}.has-johannes-bg-alt-2-background-color{ background-color: #2d364c;}.has-johannes-bg-alt-2-color{ color: #2d364c;}body{font-size:1.6rem;}.johannes-header{font-size:1.4rem;}.display-1{font-size:3rem;}h1, .h1{font-size:2.6rem;}h2, .h2{font-size:2.4rem;}h3, .h3{font-size:2.2rem;}h4, .h4,.wp-block-cover .wp-block-cover-image-text,.wp-block-cover .wp-block-cover-text,.wp-block-cover h2,.wp-block-cover-image .wp-block-cover-image-text,.wp-block-cover-image .wp-block-cover-text,.wp-block-cover-image h2{font-size:2rem;}h5, .h5{font-size:1.8rem;}h6, .h6{font-size:1.6rem;}.entry-meta{font-size:1.2rem;}.section-title {font-size:2.4rem;}.widget-title{font-size:2.0rem;}.mks_author_widget h3{font-size:2.2rem;}.widget,.johannes-breadcrumbs{font-size:1.4rem;}.wp-block-quote.is-large p, .wp-block-quote.is-style-large p{font-size:2.2rem;}.johannes-site-branding .site-title.logo-img-none{font-size: 2.6rem;}.johannes-cover-indent .johannes-cover{margin-top: 
-70px;}.johannes-menu-social li a:after, .menu-social-container li a:after{font-size:1.6rem;}.johannes-modal .johannes-menu-social li>a:after,.johannes-menu-action .jf{font-size:2.4rem;}.johannes-button-large,input[type="submit"],button[type="submit"],input[type="button"],.johannes-pagination a,.page-numbers.current,.johannes-button-medium,.meks-instagram-follow-link .meks-widget-cta,.mks_autor_link_wrap a,.mks_read_more a,.wp-block-button .wp-block-button__link{font-size:1.3rem;}.johannes-button-small,.comment-reply-link,#cancel-comment-reply-link{font-size:1.2rem;}.category-pill .entry-category a,.category-pill-small .entry-category a{font-size:1.1rem;}@media (min-width: 600px){ .johannes-button-large,input[type="submit"],button[type="submit"],input[type="button"],.johannes-pagination a,.page-numbers.current,.wp-block-button .wp-block-button__link{font-size:1.4rem;}.category-pill .entry-category a{font-size:1.4rem;}.category-pill-small .entry-category a{font-size:1.1rem;}}@media (max-width: 374px){.johannes-overlay .h1,.johannes-overlay .h2,.johannes-overlay .h3,.johannes-overlay .h4,.johannes-overlay .h5{font-size: 2.2rem;}}@media (max-width: 600px){ .johannes-layout-fa-d .h5{font-size: 2.4rem;}.johannes-layout-f.category-pill .entry-category a{background-color: transparent;color: #ff7900;}.johannes-layout-c .h3,.johannes-layout-d .h5{font-size: 2.4rem;}.johannes-layout-f .h3{font-size: 1.8rem;}}@media (min-width: 600px) and (max-width: 1050px){ .johannes-layout-fa-c .h2{font-size:3.6rem;}.johannes-layout-fa-d .h5{font-size:2.4rem;}.johannes-layout-fa-e .display-1,.section-head-alt .display-1{font-size:5.2rem;}}@media (max-width: 1050px){ body.single-post .single-md-content{max-width: 766px;width: 100%;}body.page .single-md-content.col-lg-6,body.page .single-md-content.col-lg-6{flex: 0 0 100%}body.page .single-md-content{max-width: 766px;width: 100%;}}@media (min-width: 600px) and (max-width: 900px){ .display-1{font-size:4.6rem;}h1, .h1{font-size:4rem;}h2, 
.h2,.johannes-layout-fa-e .display-1,.section-head-alt .display-1{font-size:3.2rem;}h3, .h3,.johannes-layout-fa-c .h2,.johannes-layout-fa-d .h5,.johannes-layout-d .h5,.johannes-layout-e .h2{font-size:2.8rem;}h4, .h4,.wp-block-cover .wp-block-cover-image-text,.wp-block-cover .wp-block-cover-text,.wp-block-cover h2,.wp-block-cover-image .wp-block-cover-image-text,.wp-block-cover-image .wp-block-cover-text,.wp-block-cover-image h2{font-size:2.4rem;}h5, .h5{font-size:2rem;}h6, .h6{font-size:1.8rem;}.section-title {font-size:3.2rem;}.johannes-section.wa-layout .display-1{font-size: 3rem;}.johannes-layout-f .h3{font-size: 3.2rem}.johannes-site-branding .site-title.logo-img-none{font-size: 3rem;}}@media (min-width: 900px){ body{font-size:1.6rem;}.johannes-header{font-size:1.4rem;}.display-1{font-size:5.2rem;}h1, .h1 {font-size:5.2rem;}h2, .h2 {font-size:4.0rem;}h3, .h3 {font-size:3.6rem;}h4, .h4,.wp-block-cover .wp-block-cover-image-text,.wp-block-cover .wp-block-cover-text,.wp-block-cover h2,.wp-block-cover-image .wp-block-cover-image-text,.wp-block-cover-image .wp-block-cover-text,.wp-block-cover-image h2 {font-size:3.2rem;}h5, .h5 {font-size:2.8rem;}h6, .h6 {font-size:2.4rem;}.widget-title{font-size:2.0rem;}.section-title{font-size:4.0rem;}.wp-block-quote.is-large p, .wp-block-quote.is-style-large p{font-size:2.6rem;}.johannes-section-instagram .h2{font-size: 3rem;}.johannes-site-branding .site-title.logo-img-none{font-size: 4rem;}.entry-meta{font-size:1.4rem;}.johannes-cover-indent .johannes-cover {margin-top: -130px;}.johannes-cover-indent .johannes-cover .section-head{top: 32.5px;}}.section-description .search-alt input[type=text],.search-alt input[type=text]{color: #ffffff;}::-webkit-input-placeholder {color: rgba(255,255,255,0.5);}::-moz-placeholder {color: rgba(255,255,255,0.5);}:-ms-input-placeholder {color: rgba(255,255,255,0.5);}:-moz-placeholder{color: rgba(255,255,255,0.5);}.section-description .search-alt input[type=text]::-webkit-input-placeholder {color: 
#ffffff;}.section-description .search-alt input[type=text]::-moz-placeholder {color: #ffffff;}.section-description .search-alt input[type=text]:-ms-input-placeholder {color: #ffffff;}.section-description .search-alt input[type=text]:-moz-placeholder{color: #ffffff;}.section-description .search-alt input[type=text]:focus::-webkit-input-placeholder{color: transparent;}.section-description .search-alt input[type=text]:focus::-moz-placeholder {color: transparent;}.section-description .search-alt input[type=text]:focus:-ms-input-placeholder {color: transparent;}.section-description .search-alt input[type=text]:focus:-moz-placeholder{color: transparent;}
</style>
<link rel='stylesheet' id='meks_ess-main-css'  href='https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/css/main.css?ver=1.2.7' type='text/css' media='all' />
<script type="text/javascript">
            /**
             * Run `callback` once the DOM can be used: immediately when the
             * document is already "interactive" or "complete", otherwise when
             * DOMContentLoaded fires.
             */
            window._nslDOMReady = function (callback) {
                var state = document.readyState;
                var domIsReady = state === "complete" || state === "interactive";

                if ( ! domIsReady ) {
                    // Still parsing: defer until the DOM has been built.
                    document.addEventListener( "DOMContentLoaded", callback );
                    return;
                }

                callback();
            };
            </script><script type='text/javascript' src='https://decoded.avast.io/wp-content/plugins/google-analytics-for-wordpress/assets/js/frontend-gtag.min.js?ver=8.7.0' id='monsterinsights-frontend-script-js'></script>
<!-- Inline settings object for the analytics front-end script (presumably read by the
     frontend-gtag script loaded just above; confirm against the plugin). It carries the
     tracked download extensions, the inbound affiliate paths, the site home URL and the
     analytics property id, all of which are visible to every visitor. -->
<script data-cfasync="false" data-wpfc-render="false" type="text/javascript" id='monsterinsights-frontend-script-js-extra'>/* <![CDATA[ */
var monsterinsights_frontend = {"js_events_tracking":"true","download_extensions":"doc,pdf,ppt,zip,xls,docx,pptx,xlsx","inbound_paths":"[{\"path\":\"\\\/go\\\/\",\"label\":\"affiliate\"},{\"path\":\"\\\/recommend\\\/\",\"label\":\"affiliate\"}]","home_url":"https:\/\/decoded.avast.io","hash_tracking":"false","ua":"UA-143774004-1","v4_id":""};/* ]]> */
</script>
<!-- jQuery core and the jQuery Migrate shim, both served from this site's own wp-includes path. -->
<script src="https://decoded.avast.io/wp-includes/js/jquery/jquery.min.js?ver=3.6.0" id="jquery-core-js"></script>
<script src="https://decoded.avast.io/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2" id="jquery-migrate-js"></script>

<!-- WordPress discovery links: REST API root, JSON view of this post, RSD and wlwmanifest descriptors. -->
<!-- NOTE(review): the EditURI link advertises xmlrpc.php and the generator tag below publishes the
     exact WordPress release; sites that harden their head output commonly suppress both. -->
<link rel="https://api.w.org/" href="https://decoded.avast.io/wp-json/">
<link rel="alternate" type="application/json" href="https://decoded.avast.io/wp-json/wp/v2/posts/5922">
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://decoded.avast.io/xmlrpc.php?rsd">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://decoded.avast.io/wp-includes/wlwmanifest.xml">
<meta name="generator" content="WordPress 6.0.1">
<link rel="shortlink" href="https://decoded.avast.io/?p=5922">

<!-- oEmbed endpoints for this post, in JSON and XML form. -->
<link rel="alternate" type="application/json+oembed" href="https://decoded.avast.io/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fdecoded.avast.io%2Fdavidalvarez%2Flinux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild%2F">
<link rel="alternate" type="text/xml+oembed" href="https://decoded.avast.io/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fdecoded.avast.io%2Fdavidalvarez%2Flinux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild%2F&#038;format=xml">

<!-- Site icons for browsers, iOS home screens and Windows tiles. -->
<link rel="icon" href="https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-32x32.png" sizes="32x32">
<link rel="icon" href="https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-192x192.png" sizes="192x192">
<link rel="apple-touch-icon" href="https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-180x180.png">
<meta name="msapplication-TileImage" content="https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-270x270.png">
<style type="text/css">div.nsl-container[data-align="left"] {
    text-align: left;
}

div.nsl-container[data-align="center"] {
    text-align: center;
}

div.nsl-container[data-align="right"] {
    text-align: right;
}


div.nsl-container .nsl-container-buttons a {
    text-decoration: none !important;
    box-shadow: none !important;
    border: 0;
}

div.nsl-container .nsl-container-buttons {
    display: flex;
    padding: 5px 0;
}

div.nsl-container.nsl-container-block .nsl-container-buttons {
    display: inline-grid;
    grid-template-columns: minmax(145px, auto);
}

div.nsl-container-block-fullwidth .nsl-container-buttons {
    flex-flow: column;
    align-items: center;
}

div.nsl-container-block-fullwidth .nsl-container-buttons a,
div.nsl-container-block .nsl-container-buttons a {
    flex: 1 1 auto;
    display: block;
    margin: 5px 0;
    width: 100%;
}

div.nsl-container-inline {
    margin: -5px;
    text-align: left;
}

div.nsl-container-inline .nsl-container-buttons {
    justify-content: center;
    flex-wrap: wrap;
}

div.nsl-container-inline .nsl-container-buttons a {
    margin: 5px;
    display: inline-block;
}

div.nsl-container-grid .nsl-container-buttons {
    flex-flow: row;
    align-items: center;
    flex-wrap: wrap;
}

div.nsl-container-grid .nsl-container-buttons a {
    flex: 1 1 auto;
    display: block;
    margin: 5px;
    max-width: 280px;
    width: 100%;
}

@media only screen and (min-width: 650px) {
    div.nsl-container-grid .nsl-container-buttons a {
        width: auto;
    }
}

div.nsl-container .nsl-button {
    cursor: pointer;
    vertical-align: top;
    border-radius: 4px;
}

div.nsl-container .nsl-button-default {
    color: #fff;
    display: flex;
}

div.nsl-container .nsl-button-icon {
    display: inline-block;
}

div.nsl-container .nsl-button-svg-container {
    flex: 0 0 auto;
    padding: 8px;
    display: flex;
    align-items: center;
}

div.nsl-container svg {
    height: 24px;
    width: 24px;
    vertical-align: top;
}

div.nsl-container .nsl-button-default div.nsl-button-label-container {
    margin: 0 24px 0 12px;
    padding: 10px 0;
    font-family: Helvetica, Arial, sans-serif;
    font-size: 16px;
    line-height: 20px;
    letter-spacing: .25px;
    overflow: hidden;
    text-align: center;
    text-overflow: clip;
    white-space: nowrap;
    flex: 1 1 auto;
    -webkit-font-smoothing: antialiased;
    -moz-osx-font-smoothing: grayscale;
    text-transform: none;
    display: inline-block;
}

div.nsl-container .nsl-button-google[data-skin="dark"] .nsl-button-svg-container {
    margin: 1px;
    padding: 7px;
    border-radius: 3px;
    background: #fff;
}

div.nsl-container .nsl-button-google[data-skin="light"] {
    border-radius: 1px;
    box-shadow: 0 1px 5px 0 rgba(0, 0, 0, .25);
    color: RGBA(0, 0, 0, 0.54);
}

div.nsl-container .nsl-button-apple .nsl-button-svg-container {
    padding: 0 6px;
}

div.nsl-container .nsl-button-apple .nsl-button-svg-container svg {
    height: 40px;
    width: auto;
}

div.nsl-container .nsl-button-apple[data-skin="light"] {
    color: #000;
    box-shadow: 0 0 0 1px #000;
}

div.nsl-container .nsl-button-facebook[data-skin="white"] {
    color: #000;
    box-shadow: inset 0 0 0 1px #000;
}

div.nsl-container .nsl-button-facebook[data-skin="light"] {
    color: #1877F2;
    box-shadow: inset 0 0 0 1px #1877F2;
}

div.nsl-container .nsl-button-apple div.nsl-button-label-container {
    font-size: 17px;
    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
}

div.nsl-container .nsl-button-slack div.nsl-button-label-container {
    font-size: 17px;
    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
}

div.nsl-container .nsl-button-slack[data-skin="light"] {
    color: #000000;
    box-shadow: inset 0 0 0 1px #DDDDDD;
}

.nsl-clear {
    clear: both;
}

.nsl-container {
    clear: both;
}

/*Button align start*/

div.nsl-container-inline[data-align="left"] .nsl-container-buttons {
    justify-content: flex-start;
}

div.nsl-container-inline[data-align="center"] .nsl-container-buttons {
    justify-content: center;
}

div.nsl-container-inline[data-align="right"] .nsl-container-buttons {
    justify-content: flex-end;
}


div.nsl-container-grid[data-align="left"] .nsl-container-buttons {
    justify-content: flex-start;
}

div.nsl-container-grid[data-align="center"] .nsl-container-buttons {
    justify-content: center;
}

div.nsl-container-grid[data-align="right"] .nsl-container-buttons {
    justify-content: flex-end;
}

div.nsl-container-grid[data-align="space-around"] .nsl-container-buttons {
    justify-content: space-around;
}

div.nsl-container-grid[data-align="space-between"] .nsl-container-buttons {
    justify-content: space-between;
}

/* Button align end*/

/* Redirect */

#nsl-redirect-overlay {
    display: flex;
    flex-direction: column;
    justify-content: center;
    align-items: center;
    position: fixed;
    z-index: 1000000;
    left: 0;
    top: 0;
    width: 100%;
    height: 100%;
    backdrop-filter: blur(1px);
    background-color: RGBA(0, 0, 0, .32);;
}

#nsl-redirect-overlay-container {
    display: flex;
    flex-direction: column;
    justify-content: center;
    align-items: center;
    background-color: white;
    padding: 30px;
    border-radius: 10px;
}

#nsl-redirect-overlay-spinner {
    content: '';
    display: block;
    margin: 20px;
    border: 9px solid RGBA(0, 0, 0, .6);
    border-top: 9px solid #fff;
    border-radius: 50%;
    box-shadow: inset 0 0 0 1px RGBA(0, 0, 0, .6), 0 0 0 1px RGBA(0, 0, 0, .6);
    width: 40px;
    height: 40px;
    animation: nsl-loader-spin 2s linear infinite;
}

@keyframes nsl-loader-spin {
    0% {
        transform: rotate(0deg)
    }
    to {
        transform: rotate(360deg)
    }
}

#nsl-redirect-overlay-title {
    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;
    font-size: 18px;
    font-weight: bold;
    color: #3C434A;
}

#nsl-redirect-overlay-text {
    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;
    text-align: center;
    font-size: 14px;
    color: #3C434A;
}

/* Redirect END*/</style>		<style type="text/css" id="wp-custom-css">
			.johannes-cover-indent .header-mobile .johannes-site-branding, .johannes-cover-indent .johannes-header-main .johannes-site-branding {
    -webkit-filter: none;
    filter: none;
}

/* edited by milos */




/* GENERIC */
/* --------------------------- */
h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
	font-weight:600;
}

article h1, article h2, article h3, article h4, article h5, article h6, article .h1, article .h2, article .h3, article .h4, article .h5, article .h6 {
	text-align:left;
}

.johannes-goto-top {
	border-radius:10px;
}



/* TODO
.johannes-goto-top, .johannes-goto-top:hover {
    border-radius: 10px 10px 0 0;
		opacity:1 !important;
}
.johannes-goto-top {
	bottom:-20px;
	transition: all .15s ease-in-out;
	width:50px;
	height:65px;
  background-color: #ff7900;
}

.johannes-goto-top:hover {
	bottom:0px;
}
*/

/* CATEGORY LISTING */
/* --------------------------- */
h2.entry-title, .h2 {
	font-size: 3.2rem;
	font-weight: 700;
}

.entry-category {
    margin-bottom: 1.5rem;
}

.category-pill .entry-category a {
	font-size: 1.4rem;
	font-weight: 600;
	padding: 6px 12px;
	border-radius:10px;
}

/* orange gray version */
.category-pill .entry-category a {
	background-color: #ff7800;
	color:#fff;
	box-shadow: none;
}

/* dark gray version 
.category-pill .entry-category a {
	background-color: #999;
	color:#eee;
	box-shadow: none;
}
*/
/* light gray version
.category-pill .entry-category a {
	background-color: #efefef;
	box-shadow: 0px 2px 9px -6px rgba(0,0,0,0.75);
	color:#aaa;
}
 */


/* TEST EFFECT ONLY */
.home .johannes-post {
 transition: transform .2s;
}
.home .johannes-post:hover {
	transform: scale(1.05);
}


/* the last child fix */
@media only screen and (min-width: 900px) {
	.johannes-items .col-12:last-child .johannes-post p:last-child {
		margin-bottom: 28.8px;
	}
}

@media only screen and (min-width: 600px) {
	.johannes-items .col-12:last-child .johannes-post p:last-child {
		margin-bottom: 28.8px;
	}
}


/* POST DETAIL */
/* --------------------------- */
/*
.johannes-related .johannes-post {
	border-bottom: none;
}

.johannes-related .entry-category a {
	background-color: #424f6f;
	color:#cfd6e8;
}
*/
.johannes-related .h2 {
	font-size: 4.7rem;
}

.section-title:after {
	background:none;
}

@media only screen and (min-width: 900px) {
	.section-title:after {
		margin: 16.8px auto 0;
	}
}


/* edited by milos */


/* GENERIC */
/* --------------------------- */
h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
	font-weight:600;
}

/* CATEGORY LISTING */
/* --------------------------- */
h2.entry-title, .h2 {
	font-size: 3.2rem;
	font-weight: 700;
}

.entry-category {
    margin-bottom: 1.5rem;
}

.category-pill .entry-category a {
	font-size: 1.4rem;
	font-weight: 600;
	padding: 6px 12px;
	border-radius:10px;
}

/* orange gray version */
.category-pill .entry-category a {
	background-color: #ff7800;
	color:#fff;
	box-shadow: none;
}

/* dark gray version 
.category-pill .entry-category a {
	background-color: #999;
	color:#eee;
	box-shadow: none;
}
*/
/* light gray version
.category-pill .entry-category a {
	background-color: #efefef;
	box-shadow: 0px 2px 9px -6px rgba(0,0,0,0.75);
	color:#aaa;
}
 */


/* TEST EFFECT ONLY 
.home .johannes-post {
 transition: transform .2s;
}
.home .johannes-post:hover {
	transform: scale(1.05);
}
*/

/* the last child fix */
@media only screen and (min-width: 900px) {
	.johannes-items .col-12:last-child .johannes-post p:last-child {
		margin-bottom: 28.8px;
	}
}

@media only screen and (min-width: 600px) {
	.johannes-items .col-12:last-child .johannes-post p:last-child {
		margin-bottom: 28.8px;
	}
}


/* POST DETAIL */
.twitter-tweet {margin:auto;}		</style>
		<style id="kirki-inline-styles"></style>	</head>

	<body class="post-template-default single single-post postid-5922 single-format-standard wp-custom-logo wp-embed-responsive sfly_guest-author-post johannes-sidebar-none johannes-cover-indent white-bg-alt-1 white-bg-alt-2 johannes-header-no-margin johannes-header-labels-hidden johannes-v_1_1_3 johannes-child">

	<div class="johannes-wrapper">


		    
	    

            <div class="johannes-section category-pill johannes-cover johannes-bg-alt-2 johannes-section-margin-alt size-johannes-single-3">
    
                <div class="section-bg">
            <img width="1920" height="500" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/GettyImages-1369156753-1920x500.jpg" class="attachment-johannes-single-3 size-johannes-single-3 wp-post-image" alt="" />                        </div>
        
    <div class="container">
        <div class="section-head johannes-content-alt section-head-alt">
                                      <h1 class="entry-title">Linux Threat Hunting: &#8216;Syslogk&#8217; a kernel rootkit found under development in the wild</h1>                            <div class="entry-meta">
                    <span class="meta-item meta-author"><span class="vcard author">by <a href="">David Álvarez and Jan Neduchal</a></span></span><span class="meta-item meta-date"><span class="updated">June 13, 2022</span></span><span class="meta-item meta-rtime">13 min read</span>                </div>
                    </div>
    </div>
</div>


<div class="johannes-section">
    <div class="container">
        <div class="section-content row justify-content-center">
            
            
            <div class="col-12 col-lg-8 single-md-content col-md-special johannes-order-1 ">
                 
                <article id="post-5922" class="post-5922 post type-post status-publish format-standard has-post-thumbnail hentry category-pc tag-analysis tag-linux tag-malware tag-rootkit">

                    
                    
                    
                    <div class="entry-content entry-single clearfix">
                        
<h1>Introduction</h1>



<p>Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples in the wild.</p>



<p><a href="https://github.com/yaoyumeng/adore-ng" target="_blank" rel="noreferrer noopener">Adore-Ng</a> is a relatively old, open-source, well-known kernel rootkit for Linux, which initially targeted kernel 2.x but is currently updated to target kernel 3.x. It enables hiding processes, files, and even the kernel module, making it harder to detect. It also allows authenticated user-mode processes to interact with the rootkit to control it, allowing the attacker to hide many custom malicious artifacts by using a single rootkit.</p>



<p class="has-text-align-left">In <code>early 2022</code>, we were analyzing a rootkit, mostly based on <code>Adore-Ng</code>, that we found in the wild, apparently under development. After obtaining the sample, we examined the <code>.modinfo</code> section and noticed that it is compiled for a specific kernel version.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image.png"><img loading="lazy" width="798" height="94" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image.png" alt="" class="wp-image-5962" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image.png 798w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image-300x35.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image-768x90.png 768w" sizes="(max-width: 798px) 100vw, 798px" /></a></figure></div>


<p class="has-text-align-left">As you may know, although it is possible to &#8216;force load&#8217; a module into the kernel by using the <code>--force</code> flag of the <a href="https://man7.org/linux/man-pages/man8/insmod.8.html" target="_blank" rel="noreferrer noopener">insmod</a> Linux command, the operation can still fail if the required symbols are not found in the kernel, and it can often lead to a system crash.</p>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-center" data-align="center"><code>insmod -f {module}</code></td></tr></tbody></table></figure>



<p>We discovered that the kernel module could be loaded successfully, without forcing, on a default <a href="https://www.linuxvmimages.com/images/centos-6/" target="_blank" rel="noreferrer noopener">CentOS 6.10</a> distribution, as the rootkit we found is compiled for a similar kernel version.</p>



<p>While looking at the file&#8217;s strings, we quickly identified the hardcoded file name <code>PgSD93ql</code>, which the kernel rootkit uses to reference the payload. This file name was likely chosen to make the payload less obvious to a sysadmin; for instance, it can look like a legitimate <a href="https://www.postgresql.org/" target="_blank" rel="noreferrer noopener">PostgreSQL</a> file.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image3.png"><img loading="lazy" width="536" height="94" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image3.png" alt="" class="wp-image-6020" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image3.png 536w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image3-300x53.png 300w" sizes="(max-width: 536px) 100vw, 536px" /></a></figure></div>


<p>Using this hardcoded file name, we extracted the file hidden by the rootkit. It is a compiled backdoor trojan written in the C programming language; Avast&#8217;s antivirus engine detects and classifies this file as <code>ELF:Rekoob</code> &#8211; which is widely known as the <a href="https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe" target="_blank" rel="noreferrer noopener">Rekoobe</a> malware family. <code>Rekoobe</code> is a piece of code implanted in legitimate servers. In this case, it is embedded in a fake SMTP server, which spawns a shell when it receives a specially crafted command. In this post, we refer to this rootkit as the <code>Syslogk</code> rootkit because of how it ‘reveals’ itself when specially crafted data is written to the file <code>/proc/syslogk</code>.</p>



<h1>Analyzing the Syslogk rootkit</h1>



<p>The <code>Syslogk</code> rootkit is heavily based on <code>Adore-Ng</code> but incorporates new functionalities making the user-mode application and the kernel rootkit hard to detect.</p>



<h2>Loading the kernel module</h2>



<p>To load the rootkit into kernel space, it is necessary to approximately match the kernel version used for compiling; it does not have to be strictly the same.</p>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-center" data-align="center"><code>vermagic=2.6.32-696.23.1.el6.x86_64 SMP mod_unload modversions</code></td></tr></tbody></table></figure>



<p>For example, we were able to load the rootkit without any effort in a <a href="https://www.linuxvmimages.com/images/centos-6/" target="_blank" rel="noreferrer noopener">CentOS 6.10</a> virtual machine by using the <a href="https://linux.die.net/man/8/insmod" target="_blank" rel="noreferrer noopener">insmod</a> Linux command.</p>



<p>After loading it, you will notice that the malicious driver does not appear in the list of loaded kernel modules when using the <a href="https://linux.die.net/man/8/lsmod" target="_blank" rel="noreferrer noopener">lsmod</a> command.</p>



<h2>Revealing the rootkit</h2>



<p>The rootkit has a <code>hide_module</code> function which uses the <a href="https://www.kernel.org/doc/html/v5.8/core-api/kernel-api.html#c.list_del" target="_blank" rel="noreferrer noopener">list_del</a> function of the <a href="https://www.kernel.org/doc/html/v5.8/core-api/kernel-api.html" target="_blank" rel="noreferrer noopener">kernel API</a> to remove the module from the linked list of kernel modules, so tools that enumerate that list, such as <code>lsmod</code>, no longer show it. It then updates its internal <code>module_hidden</code> flag accordingly.</p>



<p>Fortunately, the rootkit&#8217;s <code>proc_write</code> function exposes an interface in the /proc file system that reveals the rootkit when the value <code>1</code> is written to the file <em><code>/proc/syslogk</code></em>.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image8.png"><img loading="lazy" width="446" height="172" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image8.png" alt="" class="wp-image-6021" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image8.png 446w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image8-300x116.png 300w" sizes="(max-width: 446px) 100vw, 446px" /></a></figure></div>


<p>Once the rootkit is revealed, it is possible to remove it from memory using the <a href="https://linux.die.net/man/8/rmmod" target="_blank" rel="noreferrer noopener">rmmod</a> Linux command. The <a href="#files">Files section</a> of this post has additional details that will be useful for programmatically uncloaking the rootkit.</p>



<h2>Overview of the Syslogk rootkit features</h2>



<p>Apart from hiding itself, making itself harder to detect when implanted, <code>Syslogk</code> can completely hide the malicious payload by taking the following actions:</p>



<ul><li>The <code>hk_proc_readdir</code> function of the rootkit hides directories containing malicious files, effectively hiding them from the operating system.</li><li>The malicious processes are hidden via <code>hk_getpr</code> &#8211; a mix of Adore-Ng functions for hiding processes.</li><li>The malicious payload is hidden from tools like <code>Netstat</code>; when running, it will not appear in the list of services. For this purpose, the rootkit uses the function <code>hk_t4_seq_show</code>.</li><li>The malicious payload is not continuously running. The attacker remotely executes it on demand when a specially crafted TCP packet (details below) is sent to the infected machine, where the rootkit inspects the traffic through a <code>netfilter hook</code> that it installs.</li><li>It is also possible for the attacker to remotely stop the payload. This requires using a <code>hardcoded key</code> in the rootkit and knowledge of some fields of the <code>magic packet</code> used for remotely starting the payload.</li></ul>



<p>We observed that the <code>Syslogk</code> rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be: a backdoor that does not load until some <a href="https://www.drkns.net/kernel-who-does-magic/" target="_blank" rel="noreferrer noopener">magic packets</a> are sent to the machine. When queried, it appears to be a legitimate service, and it is hidden in memory, hidden on disk, remotely &#8216;magically&#8217; executed, and hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.</p>



<p>For compromising the operating system and placing the mentioned hiding functions, <code>Syslogk</code> uses the already known <a href="https://github.com/ksaravan910/FileCloakingRootkit/blob/master/rootkit.c#L64" target="_blank" rel="noreferrer noopener">set_addr_rw</a> and <a href="https://github.com/ksaravan910/FileCloakingRootkit/blob/master/rootkit.c#L81" target="_blank" rel="noreferrer noopener">set_addr_ro</a> rootkit functions, which add or remove write permission on the <code>Page Table Entry</code> (<a href="https://www.kernel.org/doc/gorman/html/understand/understand006.html" target="_blank" rel="noreferrer noopener">PTE</a>) structure.</p>



<p>After adding writing permissions to the PTE, the rootkit can hook the functions declared in the <code>hks</code> internal rootkit structure.</p>



<figure class="wp-block-table"><table><tbody><tr><td>PTE Hooks</td></tr><tr><td>Type of the function</td><td>Offset</td><td>Name of the function</td></tr><tr><td>Original</td><td>hks+(0x38) * 0</td><td>proc_root_readdir</td></tr><tr><td>Hook</td><td>hks+(0x38) * 0 + 0x10</td><td>hk_proc_readdir</td></tr><tr><td>Original</td><td>hks+(0x38) * 1</td><td>tcp4_seq_show</td></tr><tr><td>Hook</td><td>hks+(0x38) * 1 + 0x10</td><td>hk_t4_seq_show</td></tr><tr><td>Original</td><td>hks+(0x38) * 2</td><td>sys_getpriority</td></tr><tr><td>Hook</td><td>hks+(0x38) * 2 + 0x10</td><td>hk_getpr</td></tr></tbody></table></figure>



<p>The mechanism for placing the hooks consists of identifying the hookable kernel symbols via <code>/proc/kallsyms</code> as implemented in the <code>get_symbol_address</code> function of the rootkit (code reused from <a href="https://github.com/milabs/kmod_hooking/blob/master/module-init.c#L237" target="_blank" rel="noreferrer noopener">this repository</a>). After getting the address of the symbol, the <code>Syslogk</code> rootkit uses the <a href="https://github.com/vmt/udis86" target="_blank" rel="noreferrer noopener">udis86</a> project for hooking the function.</p>



<h2>Understanding the directory hiding mechanism</h2>



<p>The Virtual File System (VFS) is an abstraction layer that allows for FS-like operation over something that is typically not a traditional FS. As it is the entry point for all the File System queries, it is a good candidate for the rootkits to hook.</p>



<p>It is not surprising that the Syslogk rootkit hooks the VFS functions for hiding the Rekoobe payload stored in the file <code>/etc/rc-Zobk0jpi/PgSD93ql</code>.</p>



<p>The hook is done by <code>hk_root_readdir</code>, which calls <code>nw_root_filldir</code>, where the directory filtering takes place.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image11.png"><img loading="lazy" width="410" height="147" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image11.png" alt="" class="wp-image-6022" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image11.png 410w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image11-300x108.png 300w" sizes="(max-width: 410px) 100vw, 410px" /></a></figure></div>


<p>As you can see, any directory containing the substring <code>-Zobk0jpi</code> will be hidden.</p>



<p>The function <code>hk_get_vfs</code> opens the root of the file system by using <a href="https://www.unix.com/man-page/suse/9/filp_open" target="_blank" rel="noreferrer noopener">filp_open</a>. This kernel function returns a pointer to the structure <a href="https://github.com/torvalds/linux/blob/master/include/linux/fs.h#L956" target="_blank" rel="noreferrer noopener">file</a>, which contains a <code>file_operations</code> structure called <a href="https://github.com/torvalds/linux/blob/master/include/linux/fs.h#L939" target="_blank" rel="noreferrer noopener">f_op</a> that finally stores the <a href="https://man7.org/linux/man-pages/man3/readdir.3.html" target="_blank" rel="noreferrer noopener">readdir</a> function hooked via <code>hk_root_readdir</code>.</p>



<p>Of course, this feature is not new at all. You can check the source code of <code>Adore-Ng</code> and see <a href="https://github.com/yaoyumeng/adore-ng/blob/master/adore-ng.c#L300" target="_blank" rel="noreferrer noopener">how it is implemented</a> on your own.</p>



<h2>Understanding the process hiding mechanism</h2>



<p>In the following screenshot, you can see that the <code>Syslogk</code> rootkit (code at the right margin of the screenshot) is prepared for hiding a process called <code>PgSD93ql</code>. Therefore, the rootkit seems more straightforward than the original version (see Adore-Ng at the left margin of the screenshot). Furthermore, the process to hide can be selected after authenticating with the rootkit.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10.png"><img loading="lazy" width="1024" height="524" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10-1024x524.png" alt="" class="wp-image-6025" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10-1024x524.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10-300x154.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10-768x393.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10-1536x786.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image10.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure></div>


<p>The <code>Syslogk</code> rootkit function <code>hk_getpr</code>, explained above, is a mix of the <a href="https://github.com/yaoyumeng/adore-ng/blob/master/adore-ng.c#L178" target="_blank" rel="noreferrer noopener">adore_find_task</a> and <a href="https://github.com/yaoyumeng/adore-ng/blob/master/adore-ng.c#L193" target="_blank" rel="noreferrer noopener">should_be_hidden</a> functions, but it uses the same mechanism for hiding processes.</p>



<h2>Understanding the network traffic hiding mechanism</h2>



<p>The <code>Adore-Ng</code> rootkit allows hiding a given set of listening services from Linux programs like <code>Netstat</code>. It uses the exported <a href="https://github.com/yaoyumeng/adore-ng/blob/522c80a2dc043c2d523256472becc88c90d66337/adore-ng.c#L662" target="_blank" rel="noreferrer noopener">proc_net</a> structure to <a href="https://github.com/yaoyumeng/adore-ng/blob/522c80a2dc043c2d523256472becc88c90d66337/adore-ng.c#L835" target="_blank" rel="noreferrer noopener">change</a> the <a href="https://github.com/torvalds/linux/blob/master/net/ipv4/tcp_ipv4.c#L2695" target="_blank" rel="noreferrer noopener">tcp4_seq_show( )</a> handler, which is invoked by the kernel when <code>Netstat</code> queries for listening connections. Within the <a href="https://github.com/yaoyumeng/adore-ng/blob/master/adore-ng.c#L688" target="_blank" rel="noreferrer noopener">adore_tcp4_seq_show()</a> function, <a href="https://github.com/yaoyumeng/adore-ng/blob/master/adore-ng.c#L697" target="_blank" rel="noreferrer noopener">strnstr( )</a> is used to look in <code>seq-&gt;buf</code> for a substring that contains the hexadecimal representation of the port it is trying to hide. If this is found, the string is deleted.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6.png"><img loading="lazy" width="1024" height="550" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6-1024x550.png" alt="" class="wp-image-6026" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6-1024x550.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6-300x161.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6-768x413.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6-1536x826.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image6.png 1944w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure></div>


<p>In this way, the backdoor will not appear when listing the connections in an infected machine. The following section describes other interesting capabilities of this rootkit.</p>



<h2>Understanding the magic packets</h2>



<p>Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets.</p>



<p>These are known as <code>magic packets</code> because they have a special format and special powers. In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, &#8216;magically&#8217; executed in the system.</p>



<h3>Starting the Rekoobe payload</h3>



<p>The <code>magic packet</code> inspected by the <code>Syslogk</code> rootkit for starting the <code>Rekoobe</code> fake SMTP server is straightforward. First, it checks whether the packet is a TCP packet and, in that case, it also checks the <code>source port</code>, which is expected to be <code>59318</code>.</p>



<p><code>Rekoobe</code> will be executed by the rootkit if the magic packet fits the mentioned criteria.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image4.png"><img loading="lazy" width="817" height="569" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image4.png" alt="" class="wp-image-6030" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image4.png 817w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image4-300x209.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image4-768x535.png 768w" sizes="(max-width: 817px) 100vw, 817px" /></a></figure></div>


<p>Of course, before executing the fake service, the rootkit terminates all existing instances of the program by calling the rootkit function <code>pkill_clone_0</code>. This function contains the hardcoded process name <code>PgSD93ql</code>; it only kills the <code>Rekoobe</code> process by sending the <code>KILL</code> signal via <a href="https://docs.huihoo.com/doxygen/linux/kernel/3.7/kernel_2signal_8c_source.html#l01490" target="_blank" rel="noreferrer noopener">send_sig</a>.</p>



<p>To execute the command that starts the <code>Rekoobe</code> fake service in user mode, the rootkit executes the following command by combining the kernel APIs: <a href="https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper-setup.html" target="_blank" rel="noreferrer noopener">call_usermodehelper_setup</a>, <a href="http://www.hep.by/gnu/kernel/kernel-api/API-call-usermodehelper-setfns.html" target="_blank" rel="noreferrer noopener">call_usermodehelper_setfns</a>, and <a href="https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper-exec.html" target="_blank" rel="noreferrer noopener">call_usermodehelper_exec</a>.</p>



<figure class="wp-block-table aligncenter"><table><tbody><tr><td><code>/bin/sh -c /etc/rc-Zobk0jpi/PgSD93ql</code></td></tr></tbody></table></figure>



<p>The <a href="#files">Files section</a> of this post demonstrates how to manually craft (using Python) the TCP <code>magic packet</code> for starting the <code>Rekoobe</code> payload.</p>



<p>In the next section we describe a more complex form of the <code>magic packet</code>.</p>



<h3>Stopping the Rekoobe payload</h3>



<p>Since the attacker doesn&#8217;t want any other person in the network to be able to kill <code>Rekoobe</code>, the <code>magic packet</code> for killing <code>Rekoobe</code> must match some fields in the previous <code>magic packet</code> used for starting <code>Rekoobe</code>. In addition, the packet must satisfy further requirements &#8211; it must contain a key that is hardcoded in the rootkit and located at a variable offset within the <code>magic packet</code>. The following conditions are checked:</p>



<ol><li>It checks a flag enabled when the rootkit executes <code>Rekoobe</code> via <code>magic packets</code>. It will only continue if the flag is enabled.</li><li>It checks the <code>Reserved</code> field of the TCP header to see that it is <code>0x08</code>.</li><li>The <code>Source Port</code> must be between <code>63400</code> and <code>63411</code> inclusive.</li><li>Both the <code>Destination Port</code> and the <code>Source Address</code> must be the same as those used when sending the <code>magic packet</code> for starting <code>Rekoobe</code>.</li><li>Finally, it looks for the <code>hardcoded key</code>. In this case, it is: <code>D9sd87JMaij</code></li></ol>



<p>The offset of the hardcoded key is not itself hardcoded; it is calculated from a value carried in the packet. To be more precise, it is set in the <code>data offset</code> byte (TCP header) such that, after shifting the byte <code>4 bits</code> to the right and multiplying it by <code>4</code>, it points to the offset where the <code>Key</code> is expected to be (as shown in the following screenshot; notice that the rootkit compares the <code>Key</code> in reverse order).</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image12.png"><img loading="lazy" width="369" height="154" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image12.png" alt="" class="wp-image-6032" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image12.png 369w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image12-300x125.png 300w" sizes="(max-width: 369px) 100vw, 369px" /></a></figure></div>


<p>In our experiments, we used the value <code>0x50</code> for the <code>data offset</code> (TCP header) because after shifting it 4 bits to the right, you get 5, which multiplied by 4 is equal to <code>20</code>. Since 20 is precisely the size of a TCP header without options, by using this value, we were able to put the key at the start of the data section of the packet.</p>



<p>If you are curious about how we implemented this <code>magic packet</code> from scratch, then please see the <a href="#files">Files section</a> of this blog post.</p>



<h1>Analyzing Rekoobe</h1>



<p>When the infected machine receives the appropriate <code>magic packet</code>, the rootkit starts the hidden <code>Rekoobe</code> malware in user mode space.</p>



<p>It looks like an innocent SMTP server, but there is a backdoor command in it that can be executed when handling the <code>starttls</code> command. In a legitimate service, this command is sent by the client to the server to indicate that it wants to start TLS negotiation.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9.png"><img loading="lazy" width="1024" height="290" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9-1024x290.png" alt="" class="wp-image-6033" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9-1024x290.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9-300x85.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9-768x218.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image9.png 1094w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure></div>


<p>For triggering the <code>Rekoobe</code> backdoor command (spawning a shell), the attacker must send the byte <code>0x03</code> via TLS, followed by <code>Tag Length Value</code> (TLV) encoded data. Here, the tag is the symbol <code>%</code>, the length is specified in four numeric characters, and the value follows (notice that the length and value are arbitrary but cannot be zero).</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5.png"><img loading="lazy" width="1024" height="485" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5-1024x485.png" alt="" class="wp-image-6035" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5-1024x485.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5-300x142.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5-768x364.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5-1536x727.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image5.png 1914w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure></div>


<p>Additionally, to establish the TLS connection, you will need the certificate embedded in <code>Rekoobe</code>. </p>



<p>See the <a href="#files">Files section</a> below for the certificate and a Python script we developed to connect with <code>Rekoobe</code>.</p>



<h1>The origin of Rekoobe payload and Syslogk rootkit</h1>



<p><code>Rekoobe</code> is clearly based on the <a href="https://github.com/creaktive/tsh/blob/master/tshd.c#L693" target="_blank" rel="noreferrer noopener">TinySHell</a> open source project; this conclusion is based on character and variable assignments that take place in the same order multiple times.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image7.png"><img loading="lazy" width="747" height="249" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image7.png" alt="" class="wp-image-6036" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image7.png 747w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image7-300x100.png 300w" sizes="(max-width: 747px) 100vw, 747px" /></a></figure></div>


<p class="has-text-align-left">On the other hand, if you take a look at the <code>Syslogk</code> rootkit, even if it is new, you will notice that there are also references to <code>TinySHell</code> dating back to December 13, 2018.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image2.png"><img loading="lazy" width="537" height="129" src="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image2.png" alt="" class="wp-image-6037" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image2.png 537w, https://decoded.avast.io/wp-content/uploads/sites/2/2022/06/image2-300x72.png 300w" sizes="(max-width: 537px) 100vw, 537px" /></a></figure></div>


<p>The evidence suggests that the threat actor developed <code>Rekoobe</code> and <code>Syslogk</code> to run them together. We are pleased to say that our users are protected and hope that this research assists others.</p>



<h1>Conclusions</h1>



<p>One of the architectural advantages of security software is that it usually has components running in different privilege levels; malware running on less-privileged levels cannot easily interfere with processes running on higher privilege levels, which makes the malware more straightforward to deal with.</p>



<p>On the other hand, kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer. This is why it is essential for system administrators and security companies to be aware of this kind of malware and write protections for their users as soon as possible.</p>



<h1>IoCs</h1>



<h2>Syslogk sample</h2>



<ul><li><code>68facac60ee0ade1aa8f8f2024787244c2584a1a03d10cda83eeaf1258b371f2</code></li></ul>



<h2>Rekoobe sample</h2>



<ul><li><code>11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d</code></li></ul>



<h2>Other Rekoobe samples</h2>



<ul><li><code>fa94282e34901eba45720c4f89a0c820d32840ae49e53de8e75b2d6e78326074</code></li><li><code>fd92e34675e5b0b8bfbc6b1f3a00a7652e67a162f1ea612f6e86cca846df76c5</code></li><li><code>12c1b1e48effe60eef7486b3ae3e458da403cd04c88c88fab7fca84d849ee3f5</code></li><li><code>06778bddd457aafbc93d384f96ead3eb8476dc1bc8a6fbd0cd7a4d3337ddce1e</code></li><li><code>f1a592208723a66fa51ce1bc35cbd6864e24011c6dc3bcd056346428e4e1c55d</code></li><li><code>55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b</code></li><li><code>df90558a84cfcf80639f32b31aec187b813df556e3c155a05af91dedfd2d7429</code></li><li><code>160cfb90b81f369f5ba929aba0b3130cb38d3c90d629fe91b31fdef176752421</code></li><li><code>b4d0f0d652f907e4e77a9453dcce7810b75e1dc5867deb69bea1e4ecdd02d877</code></li><li><code>3a6f339df95e138a436a4feff64df312975a262fa16b75117521b7d6e7115d65</code></li><li><code>74699b0964a2cbdc2bc2d9ca0b2b6f5828b638de7c73b1d41e7fe26cfc2f3441</code></li><li><code>7a599ff4a58cb0672a1b5e912a57fcdc4b0e2445ec9bc653f7f3e7a7d1dc627f</code></li><li><code>f4e3cfeeb4e10f61049a88527321af8c77d95349caf616e86d7ff4f5ba203e5f</code></li><li><code>31330c0409337592e9de7ac981cecb7f37ce0235f96e459fefbd585e35c11a1a</code></li><li><code>c6d735b7a4656a52f3cd1d24265e4f2a91652f1a775877129b322114c9547deb</code></li><li><code>2e81517ee4172c43a2084be1d584841704b3f602cafc2365de3bcb3d899e4fb8</code></li><li><code>b22f55e476209adb43929077be83481ebda7e804d117d77266b186665e4b1845</code></li><li><code>a93b9333a203e7eed197d0603e78413013bd5d8132109bbef5ef93b36b83957c</code></li><li><code>870d6c202fcc72088ff5d8e71cc0990777a7621851df10ba74d0e07d19174887</code></li><li><code>ca2ee3f30e1c997cc9d8e8f13ec94134cdb378c4eb03232f5ed1df74c0a0a1f0</code></li><li><code>9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d</code></li><li><code>29058d4cee84565335eafdf2d4a239afc0a73f1b89d3c2149346a4c6f10f3962</code></li><li><code>7e0b340815351dab035b28b16ca66a2c1c7eaf22edf9ead73d2276fe7d92bab4</code></li><li><code>af9a19f9
9e0dcd82a31e0c8fc68e89d104ef2039b7288a203f6d2e4f63ae4d5c</code></li><li><code>6f27de574ad79eb24d93beb00e29496d8cfe22529fc8ee5010a820f3865336a9</code></li><li><code>d690d471b513c5d40caef9f1e37c94db20e6492b34ea6a3cddcc22058f842cf3</code></li><li><code>e08e241d6823efedf81d141cc8fd5587e13df08aeda9e1793f754871521da226</code></li><li><code>da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08</code></li><li><code>e3d64a128e9267640f8fc3e6ba5399f75f6f0aca6a8db48bf989fe67a7ee1a71</code></li><li><code>d3e2e002574fb810ac5e456f122c30f232c5899534019d28e0e6822e426ed9d3</code></li><li><code>7b88fa41d6a03aeda120627d3363b739a30fe00008ce8d848c2cbb5b4473d8bc</code></li><li><code>50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7</code></li><li><code>8b036e5e96ab980df3dca44390d6f447d4ca662a7eddac9f52d172efff4c58f8</code></li><li><code>8b18c1336770fcddc6fe78d9220386bce565f98cc8ada5a90ce69ce3ddf36043</code></li><li><code>f04dc3c62b305cdb4d83d8df2caa2d37feeb0a86fb5a745df416bac62a3b9731</code></li><li><code>72f200e3444bb4e81e58112111482e8175610dc45c6e0c6dcd1d2251bacf7897</code></li><li><code>d129481955f24430247d6cc4af975e4571b5af7c16e36814371575be07e72299</code></li><li><code>6fc03c92dee363dd88e50e89062dd8a22fe88998aff7de723594ec916c348d0a</code></li><li><code>fca2ea3e471a0d612ce50abc8738085f076ad022f70f78c3f8c83d1b2ff7896b</code></li><li><code>2fea3bc88c8142fa299a4ad9169f8879fc76726c71e4b3e06a04d568086d3470</code></li><li><code>178b23e7eded2a671fa396dd0bac5d790bca77ec4b2cf4b464d76509ed12c51a</code></li><li><code>3bff2c5bfc24fc99d925126ec6beb95d395a85bc736a395aaf4719c301cbbfd4</code></li><li><code>14a33415e95d104cf5cf1acaff9586f78f7ec3ffb26efd0683c468edeaf98fd7</code></li><li><code>8bb7842991afe86b97def19f226cb7e0a9f9527a75981f5e24a70444a7299809</code></li><li><code>020a6b7edcff7764f2aac1860142775edef1bc057bedd49b575477105267fc67</code></li><li><code>6711d5d42b54e2d261bb48aa7997fa9191aec059fd081c6f6e496d8db17a372a</code></li><li><code>48671bc6dbc786940ede3a83cc18c2
d124d595a47fb20bc40d47ec9d5e8b85dc</code></li><li><code>b0d69e260a44054999baa348748cf4b2d1eaab3dd3385bb6ad5931ff47a920de</code></li><li><code>e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94</code></li><li><code>fa0ea232ab160a652fcbd8d6db8ffa09fd64bcb3228f000434d6a8e340aaf4cb</code></li><li><code>11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d</code></li><li><code>73bbabc65f884f89653a156e432788b5541a169036d364c2d769f6053960351f</code></li><li><code>8ec87dee13de3281d55f7d1d3b48115a0f5e4a41bfbef1ea08e496ac529829c8</code></li><li><code>8285ee3115e8c71c24ca3bdce313d3cfadead283c31a116180d4c2611efb610d</code></li><li><code>958bce41371b68706feae0f929a18fa84d4a8a199262c2110a7c1c12d2b1dce2</code></li><li><code>38f357c32f2c5a5e56ea40592e339bac3b0cabd6a903072b9d35093a2ed1cb75</code></li><li><code>bcc3d47940ae280c63b229d21c50d25128b2a15ea42fe8572026f88f32ed0628</code></li><li><code>08a1273ac9d6476e9a9b356b261fdc17352401065e2fc2ad3739e3f82e68705a</code></li><li><code>cf525918cb648c81543d9603ac75bc63332627d0ec070c355a86e3595986cbb3</code></li><li><code>42bc744b22173ff12477e57f85fa58450933e1c4294023334b54373f6f63ee42</code></li><li><code>337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6</code></li><li><code>4effa5035fe6bbafd283ffae544a5e4353eb568770421738b4b0bb835dad573b</code></li><li><code>5b8059ea30c8665d2c36da024a170b31689c4671374b5b9b1a93c7ca47477448</code></li><li><code>bd07a4ccc8fa67e2e80b9c308dec140ca1ae9c027fa03f2828e4b5bdba6c7391</code></li><li><code>bf09a1a7896e05b18c033d2d62f70ea4cac85e2d72dbd8869e12b61571c0327e</code></li><li><code>79916343b93a5a7ac7b7133a26b77b8d7d0471b3204eae78a8e8091bfe19dc8c</code></li><li><code>c32e559568d2f6960bc41ca0560ac8f459947e170339811804011802d2f87d69</code></li><li><code>864c261555fce40d022a68d0b0eadb7ab69da6af52af081fd1d9e3eced4aee46</code></li><li><code>275d63587f3ac511d7cca5ff85af2914e74d8b68edd5a7a8a1609426d5b7f6a9</code></li><li><code>031183e9450ad8283486621c4cdc556e1025127971c15053a3bf
202c132fe8f9</code></li></ul>



<h1 id="files">Files</h1>



<h2>Syslogk research tools</h2>



<ul><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/unhide_rootkit.c">unhide_rootkit.c</a></li><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/magic_packet_start_rekoobe.py" target="_blank" rel="noreferrer noopener">magic_packet_start_rekoobe.py</a></li><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/magic_packet_kill_rekoobe.py" target="_blank" rel="noreferrer noopener">magic_packet_kill_rekoobe.py</a></li><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/remove_syslogk_from_memory.sh" target="_blank" rel="noreferrer noopener">remove_syslogk_from_memory.sh</a></li></ul>



<h2>Rekoobe research tool</h2>



<ul><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/rekoobe_backdoor_client.py" target="_blank" rel="noreferrer noopener">rekoobe_backdoor_client.py</a></li><li><a href="https://github.com/avast/ioc/blob/master/SyslogkRootkit/Research%20Tools/cert.pem" target="_blank" rel="noreferrer noopener">cert.pem</a></li></ul>



<h1>IoC repository</h1>



<p>The research tools and IoCs for the Syslogk rootkit and the Rekoobe payload are in our <a href="https://github.com/avast/ioc/tree/master/SyslogkRootkit" target="_blank" rel="noreferrer noopener">IoC repository</a>.</p>
                                            </div>

                </article>

                                    <div class="entry-tags clearfix">
                        <span>Tagged as</span><a href="https://decoded.avast.io/tag/analysis/" rel="tag">analysis</a>, <a href="https://decoded.avast.io/tag/linux/" rel="tag">linux</a>, <a href="https://decoded.avast.io/tag/malware/" rel="tag">malware</a>, <a href="https://decoded.avast.io/tag/rootkit/" rel="tag">rootkit</a>                    </div>
                
                                     
                               
		        

            </div>

            
        </div>
    </div>
</div>

	    </div>
        </article>                        </div>
                                            </div>
                </div>
            </div>
        </div>
    </div>
    

    
    


</div>



<script type="text/javascript">(function (undefined) {var _localizedStrings={"redirect_overlay_title":"Hold On","redirect_overlay_text":"You are being redirected to another page,<br>it may take a few seconds."};var _targetWindow="prefer-popup";var _redirectOverlay="overlay-with-spinner-and-message";
window.NSLPopup = function (url, title, w, h) {
    var userAgent = navigator.userAgent,
        mobile = function () {
            return /\b(iPhone|iP[ao]d)/.test(userAgent) ||
                /\b(iP[ao]d)/.test(userAgent) ||
                /Android/i.test(userAgent) ||
                /Mobile/i.test(userAgent);
        },
        screenX = window.screenX !== undefined ? window.screenX : window.screenLeft,
        screenY = window.screenY !== undefined ? window.screenY : window.screenTop,
        outerWidth = window.outerWidth !== undefined ? window.outerWidth : document.documentElement.clientWidth,
        outerHeight = window.outerHeight !== undefined ? window.outerHeight : document.documentElement.clientHeight - 22,
        targetWidth = mobile() ? null : w,
        targetHeight = mobile() ? null : h,
        V = screenX < 0 ? window.screen.width + screenX : screenX,
        left = parseInt(V + (outerWidth - targetWidth) / 2, 10),
        right = parseInt(screenY + (outerHeight - targetHeight) / 2.5, 10),
        features = [];
    if (targetWidth !== null) {
        features.push('width=' + targetWidth);
    }
    if (targetHeight !== null) {
        features.push('height=' + targetHeight);
    }
    features.push('left=' + left);
    features.push('top=' + right);
    features.push('scrollbars=1');

    var newWindow = window.open(url, title, features.join(','));

    if (window.focus) {
        newWindow.focus();
    }

    return newWindow;
};

var isWebView = null;

function checkWebView() {
    if (isWebView === null) {
        function _detectOS(ua) {
            if (/Android/.test(ua)) {
                return "Android";
            } else if (/iPhone|iPad|iPod/.test(ua)) {
                return "iOS";
            } else if (/Windows/.test(ua)) {
                return "Windows";
            } else if (/Mac OS X/.test(ua)) {
                return "Mac";
            } else if (/CrOS/.test(ua)) {
                return "Chrome OS";
            } else if (/Firefox/.test(ua)) {
                return "Firefox OS";
            }
            return "";
        }

        function _detectBrowser(ua) {
            var android = /Android/.test(ua);

            if (/Opera Mini/.test(ua) || / OPR/.test(ua) || / OPT/.test(ua)) {
                return "Opera";
            } else if (/CriOS/.test(ua)) {
                return "Chrome for iOS";
            } else if (/Edge/.test(ua)) {
                return "Edge";
            } else if (android && /Silk\//.test(ua)) {
                return "Silk";
            } else if (/Chrome/.test(ua)) {
                return "Chrome";
            } else if (/Firefox/.test(ua)) {
                return "Firefox";
            } else if (android) {
                return "AOSP";
            } else if (/MSIE|Trident/.test(ua)) {
                return "IE";
            } else if (/Safari\//.test(ua)) {
                return "Safari";
            } else if (/AppleWebKit/.test(ua)) {
                return "WebKit";
            }
            return "";
        }

        function _detectBrowserVersion(ua, browser) {
            if (browser === "Opera") {
                return /Opera Mini/.test(ua) ? _getVersion(ua, "Opera Mini/") :
                    / OPR/.test(ua) ? _getVersion(ua, " OPR/") :
                        _getVersion(ua, " OPT/");
            } else if (browser === "Chrome for iOS") {
                return _getVersion(ua, "CriOS/");
            } else if (browser === "Edge") {
                return _getVersion(ua, "Edge/");
            } else if (browser === "Chrome") {
                return _getVersion(ua, "Chrome/");
            } else if (browser === "Firefox") {
                return _getVersion(ua, "Firefox/");
            } else if (browser === "Silk") {
                return _getVersion(ua, "Silk/");
            } else if (browser === "AOSP") {
                return _getVersion(ua, "Version/");
            } else if (browser === "IE") {
                return /IEMobile/.test(ua) ? _getVersion(ua, "IEMobile/") :
                    /MSIE/.test(ua) ? _getVersion(ua, "MSIE ")
                        :
                        _getVersion(ua, "rv:");
            } else if (browser === "Safari") {
                return _getVersion(ua, "Version/");
            } else if (browser === "WebKit") {
                return _getVersion(ua, "WebKit/");
            }
            return "0.0.0";
        }

        function _getVersion(ua, token) {
            try {
                return _normalizeSemverString(ua.split(token)[1].trim().split(/[^\w\.]/)[0]);
            } catch (o_O) {
            }
            return "0.0.0";
        }

        function _normalizeSemverString(version) {
            var ary = version.split(/[\._]/);
            return (parseInt(ary[0], 10) || 0) + "." +
                (parseInt(ary[1], 10) || 0) + "." +
                (parseInt(ary[2], 10) || 0);
        }

        function _isWebView(ua, os, browser, version, options) {
            switch (os + browser) {
                case "iOSSafari":
                    return false;
                case "iOSWebKit":
                    return _isWebView_iOS(options);
                case "AndroidAOSP":
                    return false;
                case "AndroidChrome":
                    return parseFloat(version) >= 42 ? /; wv/.test(ua) : /\d{2}\.0\.0/.test(version) ? true : _isWebView_Android(options);
            }
            return false;
        }

        function _isWebView_iOS(options) {
            var document = (window["document"] || {});

            if ("WEB_VIEW" in options) {
                return options["WEB_VIEW"];
            }
            return !("fullscreenEnabled" in document || "webkitFullscreenEnabled" in document || false);
        }

        function _isWebView_Android(options) {
            if ("WEB_VIEW" in options) {
                return options["WEB_VIEW"];
            }
            return !("requestFileSystem" in window || "webkitRequestFileSystem" in window || false);
        }

        var options = {};
        var nav = window.navigator || {};
        var ua = nav.userAgent || "";
        var os = _detectOS(ua);
        var browser = _detectBrowser(ua);
        var browserVersion = _detectBrowserVersion(ua, browser);

        isWebView = _isWebView(ua, os, browser, browserVersion, options);
    }

    return isWebView;
}

/**
 * Tells whether the current user agent names an in-app browser in which the
 * given provider's login button is kept even though a WebView was detected.
 *
 * Matching is an unanchored, case-sensitive substring test against
 * navigator.userAgent, so any user agent containing one of the tokens
 * qualifies. The user agent is supplied by the client: use the result to decide
 * what to display, never as an access-control decision.
 *
 * @param {string} provider 'facebook' or 'google'; any other value has no
 *                          allow-list and yields false.
 * @returns {boolean} true when a token for the provider occurs in the user agent.
 */
function isAllowedWebViewForUserAgent(provider) {
    var allowedTokens = [];

    if (provider === 'facebook') {
        allowedTokens = ['Instagram', 'FBAV', 'FBAN'];
    } else if (provider === 'google') {
        allowedTokens = ['Instagram', 'FBAV', 'FBAN', 'Line'];
    }

    var userAgent = (window.navigator || {}).userAgent || "";

    // Tokens are joined into a regular expression without escaping; that is safe
    // only while every entry stays a plain alphanumeric literal.
    return allowedTokens.length > 0 &&
        userAgent.match(new RegExp(allowedTokens.join('|'))) !== null;
}

window._nslDOMReady(function () {

    /**
     * Navigates the current window to `url`, first covering the page with an
     * overlay when `_redirectOverlay` is set.
     *
     * Overlay content by mode:
     *  - "overlay-only": an empty overlay element.
     *  - "overlay-with-spinner": container with the spinner.
     *  - any other truthy value: container with spinner, title and text.
     *
     * NOTE(review): `url` is assigned to window.location as received; nothing in
     * this function restricts its scheme or host, so callers must pass only
     * trusted destinations.
     * NOTE(review): the localized title and text are concatenated into markup and
     * inserted with insertAdjacentHTML, so they are parsed as HTML. This relies on
     * `_localizedStrings` being escaped where it is produced; confirm.
     *
     * @param {string} url Destination to navigate to.
     */
    window.nslRedirect = function (url) {
        if (_redirectOverlay) {
            var overlayElement = document.createElement('div');
            overlayElement.id = "nsl-redirect-overlay";

            var spinnerHtml = "<div id='nsl-redirect-overlay-spinner'></div>",
                titleHtml = "<p id='nsl-redirect-overlay-title'>" + _localizedStrings.redirect_overlay_title + "</p>",
                textHtml = "<p id='nsl-redirect-overlay-text'>" + _localizedStrings.redirect_overlay_text + "</p>",
                wrapInContainer = function (inner) {
                    return "<div id='nsl-redirect-overlay-container'>" + inner + "</div>";
                },
                markup;

            if (_redirectOverlay === "overlay-only") {
                markup = '';
            } else if (_redirectOverlay === "overlay-with-spinner") {
                markup = wrapInContainer(spinnerHtml);
            } else {
                markup = wrapInContainer(spinnerHtml + titleHtml + textHtml);
            }

            overlayElement.insertAdjacentHTML("afterbegin", markup);
            document.body.appendChild(overlayElement);
        }

        window.location = url;
    };

    // Where the provider login opens. Once a WebView is detected in the click
    // handler below, this is switched to the same window and stays that way.
    // `lastPopup` remembers the most recent login popup so it can be re-focused.
    var targetWindow = _targetWindow || 'prefer-popup',
        lastPopup = false;

    var buttonLinks = document.querySelectorAll(' a[data-plugin="nsl"][data-action="connect"], a[data-plugin="nsl"][data-action="link"]');
    buttonLinks.forEach(function (buttonLink) {
        buttonLink.addEventListener('click', function (e) {
            // A login popup is still open: bring it forward instead of starting a second flow.
            if (lastPopup && !lastPopup.closed) {
                e.preventDefault();
                lastPopup.focus();
                return;
            }

            var link = this,
                opened = false,
                baseHref = link.href,
                href = baseHref + (baseHref.indexOf('?') !== -1 ? '&' : '?');

            // data-redirect="current" means "come back to this page"; any other
            // non-empty value is used as the return address itself.
            // NOTE(review): the value is only URL-encoded here. The endpoint that
            // consumes `redirect` has to validate the destination; confirm that
            // it does.
            var redirectTo = link.dataset.redirect;
            var redirectTarget = redirectTo === 'current' ? window.location.href : redirectTo;
            if (redirectTarget) {
                href += 'redirect=' + encodeURIComponent(redirectTarget) + '&';
            }

            // Inside a WebView the flow is forced into the same window.
            if (targetWindow !== 'prefer-same-window' && checkWebView()) {
                targetWindow = 'prefer-same-window';
            }

            if (targetWindow === 'prefer-popup') {
                lastPopup = NSLPopup(href + 'display=popup', 'nsl-social-connect', link.dataset.popupwidth, link.dataset.popupheight);
                if (lastPopup) {
                    opened = true;
                    e.preventDefault();
                }
            } else if (targetWindow === 'prefer-new-tab') {
                // NOTE(review): opened without "noopener", so the new tab keeps a
                // reference to this window; presumably the login flow needs it. Confirm.
                var newTab = window.open(href + 'display=popup', '_blank');
                if (newTab) {
                    if (window.focus) {
                        newTab.focus();
                    }
                    opened = true;
                    e.preventDefault();
                }
            }

            // Popup or tab was blocked, or same-window mode: navigate this window.
            if (!opened) {
                window.location = href;
                e.preventDefault();
            }
        });
    });

    // Set when at least one provider's buttons were removed because the page
    // runs in a WebView that is not on that provider's allow-list.
    let hasWebViewLimitation = false;

    // Google: buttons are removed in any detected WebView that is not allow-listed
    // (presumably because the provider refuses sign-in from embedded WebViews; confirm).
    const googleLoginButtons = document.querySelectorAll(' a[data-plugin="nsl"][data-provider="google"]');
    if (googleLoginButtons.length && checkWebView() && !isAllowedWebViewForUserAgent('google')) {
        for (const googleLoginButton of googleLoginButtons) {
            googleLoginButton.remove();
        }
        hasWebViewLimitation = true;
    }

    // Facebook: same rule, but only when the user agent also contains "Android".
    const facebookLoginButtons = document.querySelectorAll(' a[data-plugin="nsl"][data-provider="facebook"]');
    if (facebookLoginButtons.length && checkWebView() && /Android/.test(window.navigator.userAgent) && !isAllowedWebViewForUserAgent('facebook')) {
        for (const facebookLoginButton of facebookLoginButtons) {
            facebookLoginButton.remove();
        }
        hasWebViewLimitation = true;
    }

    // After removals, drop any separator whose sibling button container has no
    // child nodes left. hasChildNodes() also counts text nodes, so a container
    // holding only whitespace keeps its separator.
    const separators = document.querySelectorAll('div.nsl-separator');
    if (hasWebViewLimitation && separators.length) {
        for (const separator of separators) {
            const separatorParentNode = separator.parentNode;
            if (!separatorParentNode) {
                continue;
            }
            const separatorButtonContainer = separatorParentNode.querySelector('div.nsl-container-buttons');
            if (separatorButtonContainer && !separatorButtonContainer.hasChildNodes()) {
                separator.remove();
            }
        }
    }
});})();</script></body>

</html>